Coinbase confirms insider breach impacting nearly 70K users amid $20M extortion attempt

A large-scale extortion scheme targeting Coinbase users has exposed personal information of nearly 70,000 customers, the US-based cryptocurrency exchange confirmed in a data breach notification.

Coinbase revealed that the breach, which it attributed to insider misconduct at an overseas customer support center, occurred on December 26, 2024, but went undetected until May 11, 2025 — the day the attackers demanded a $20 million ransom in exchange for not releasing the stolen data.

Rather than pay the ransom, Coinbase has offered a $20 million reward for information leading to the identification and arrest of those behind the attack. The breach affected 69,461 users, with the compromised data reportedly fueling a months-long phishing campaign that netted tens of millions of dollars from targeted customers.

Taylor Monahan, head of security at MetaMask, disputed the timeline presented by Coinbase, suggesting that attackers had insider access for much longer than acknowledged.

“Threat actors had ongoing access via multiple insiders over a prolonged period of time,” Monahan wrote on X, citing a May 16 article by Cryptoforensic Investigators.

The investigative report alleged that hackers began using stolen information months before the official breach date, successfully targeting high-net-worth Coinbase users through coordinated phishing, social engineering, and vishing scams. One victim reportedly lost 400 BTC — valued at over $27 million — in a single incident.

Cryptoforensic Investigators estimate that the breach may have begun as far back as mid-2024, with attackers gaining increasing access and sophistication in targeting victims.

